What's the best practice to keep our Normal API app key secret from users?
We have two issues:
1. How do we make sure all project collaborators can still keep a local key without Unity breaking references to the NormcoreAppSettings file? (This file is not git tracked)
2. How do we deploy binaries to clients without sharing that secret key?
4 Replies
Hi @RoyNexus. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
To keep your Normcore API app key secret from users, you can follow these steps:
1. For project collaborators, you can use a .gitignore file to exclude the NormcoreAppSettings file from your repository. This way, each collaborator can have their own local copy of the file with the key, and it won't be tracked or shared via Git. This should prevent Unity from breaking references to the NormcoreAppSettings file.
2. For deploying binaries to clients, you should ensure that the key is not embedded in the client-side code. Instead, you can use a server-side script to authenticate with Normcore servers. This script should be hosted on a secure server that you control, and it should communicate with the client-side code using secure methods. This way, the key is never exposed to the client.
Please note that these are general best practices and may need to be adapted to your specific project and workflow. For more detailed guidance, you may want to consult the Normcore documentation (https://normcore.io/documentation) or contact NormalVR support.
----------------------
you can programmatically create NormcoreAppSettings objects
whatever you’d use to obfuscate an API secret can be used with that method
in two months or so we’re launching a new dashboard that will support a REST api for creating app keys. you can use that with your own server to only send app keys to clients that have verified their entitlement and aren’t patched too
great, thanks for the reply. We'll do that for now then